Forum Discussion
SimonR
Jun 04, 2021, Copper Contributor
MCAS Log Collector on RHEL not receiving logs
Hi, I'm in the process of deploying a new log collector on RHEL 7. I've configured it in the MCAS portal and deployed the Docker container; I can see it as connected in the console, but with no data received.
Now I've forwarded the logs to the server, and I can see them if I run a tcpdump on the RHEL host, but I'm not seeing anything in the container. /var/adallom/syslog/rotated/514/ only contains the config.json file, and /var/adallom/discoverylogsbackup is empty.
Is there a way I can see if the container is receiving the messages, and why it's not processing them?
2 Replies

- JaredPoeppelman, Former Employee: Try this first:
https://docs.microsoft.com/en-us/defender-cloud-apps/troubleshooting-cloud-discovery
And contact support if that does not help resolve the issue.

- SimonR, Copper Contributor: Having logged a support ticket and had it bounce around for all the same things listed in that link, we eventually discovered a corrupt file in the container. Despite redeploying the container multiple times, it appears there was an issue with /etc/rsyslog.d/50-default.conf: it was inaccessible to things like vi and cat and appeared to prevent the rsyslog process from working correctly. Running touch on the file appears to have corrected the issue, and we are now seeing the messages file being populated as expected.
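A small diagnostic helper, added here and not part of the thread or of Microsoft's collector, that checks from inside the container for the three things discussed above: whether the rsyslog drop-in can actually be opened and read (the failure found in this thread), whether the rotated directory holds anything besides config.json, and whether anything is listening on the syslog port. The default paths are the ones named in the thread; the port number and the use of `ss` are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread or from Microsoft).
# Default paths are those named in the thread; port 514 and `ss` are assumed.

# Return 0 if the rsyslog drop-in config exists and can really be read.
# A file that exists but cannot be read by cat/vi is the failure mode
# described in the thread; return 1 if missing, 2 if unreadable.
check_rsyslog_conf() {
    f="${1:-/etc/rsyslog.d/50-default.conf}"
    [ -e "$f" ] || { echo "MISSING: $f"; return 1; }
    if ! cat "$f" >/dev/null 2>&1; then
        echo "UNREADABLE: $f exists but cannot be read (touch it, then restart rsyslog)"
        return 2
    fi
    echo "OK: $f readable ($(wc -c <"$f") bytes)"
    return 0
}

# Return 0 if the rotated syslog directory holds anything besides config.json,
# i.e. the collector has actually written received messages to disk.
# Return 1 if the directory is missing, 2 if only config.json is present.
check_rotated_dir() {
    d="${1:-/var/adallom/syslog/rotated/514}"
    [ -d "$d" ] || { echo "MISSING DIR: $d"; return 1; }
    n=$(find "$d" -maxdepth 1 -type f ! -name config.json | wc -l)
    if [ "$n" -eq 0 ]; then
        echo "EMPTY: $d contains only config.json; no logs processed yet"
        return 2
    fi
    echo "OK: $d holds $n log file(s)"
    return 0
}

# Return 0 if a TCP or UDP listener is bound on the syslog port inside the
# container (tcpdump on the host proves delivery, not that rsyslog is bound).
check_listener() {
    port="${1:-514}"
    if command -v ss >/dev/null 2>&1 && ss -lntu 2>/dev/null | grep -q ":$port "; then
        echo "OK: listener on port $port"
        return 0
    fi
    echo "NO LISTENER on port $port (rsyslog not running, not bound, or ss unavailable)"
    return 1
}
```

Source the file inside the container and call the three functions; a non-zero return from any of them points at the stage where delivery stops.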